03-19-2020 01:15 AM
We would like to use 2 DNS servers in ISE 2.6 First for resolution of ISE personas, DNAC and network services (like Backup, LDAP, NTP,...). Second for resolution of Active Directory, network authentication devices and endpoints. Is this somehow possible in ISE ?
03-19-2020 03:10 PM
Hi,
If you want AD integration and you want it to work, all DNS servers configured in ISE need to respond to the relevant AD queries, thus they need to be DNS servers that are members of your AD scheme. This is NOT an ISE restriction; ISE just conforms with AD restrictions. Options:
1. Configure your internal DNS servers in ISE for AD integration (firewall rule to allow ISE to speak DNS with the internal DNS server), and for ISE to resolve public FQDNs, configure your internal DNS server as a forwarder towards your DMZ internal server (this should already be done if you don't have a proxy for user Internet access, as some DNS server needs to resolve Internet resources).
2. Deploy a read-only Domain Controller in the DMZ, use it as a DNS server, and point ISE towards this DNS server, which in turn forwards Internet FQDN resolution to your other DNS server in the DMZ; this way you never expose the read-only DC to the Internet, neither inbound nor outbound; even though it's more secure by design, being read-only, you still don't expose it to the Internet.
Regards,
Cristian Matei.
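A check a practitioner would run before committing to either option, added here as an example and not part of the thread or of Cisco's documentation: the script below queries every DNS server that ISE will be pointed at for the AD locator (SRV) records that domain join and authentication depend on, plus one public name, so a server that cannot answer the AD queries is caught before ISE is joined to the domain. It assumes `dig` is installed; the domain name, public name and server addresses are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): probe every DNS server you intend to
# configure in ISE and confirm each one answers the AD locator (SRV) records
# that AD integration depends on, plus one public name. Requires `dig`.
# All names and addresses below are placeholders, not values from the thread.

AD_DOMAIN="${AD_DOMAIN:-corp.example.com}"           # assumed AD DNS domain
PUBLIC_NAME="${PUBLIC_NAME:-www.cisco.com}"          # assumed public name to resolve
DNS_SERVERS="${DNS_SERVERS:-10.10.1.10 10.10.1.11}"  # assumed ISE DNS servers

# The SRV records a domain member (and ISE's AD connector) looks up to find
# domain controllers, Kerberos KDCs and the global catalog. _gc._tcp is
# published under the forest root; adjust if $AD_DOMAIN is a child domain.
ad_srv_names() {
    domain="$1"
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.$domain" \
        "_kerberos._tcp.dc._msdcs.$domain" \
        "_ldap._tcp.$domain" \
        "_kerberos._tcp.$domain" \
        "_gc._tcp.$domain"
}

# Count non-blank answer lines in a `dig +short` result; 0 means no answer.
answer_count() {
    printf '%s\n' "$1" | grep -c '[^[:space:]]' || true
}

# Ask one server for one record; succeed only if at least one answer came back.
resolves() {
    server="$1"; name="$2"; rtype="$3"
    out=$(dig +short +time=3 +tries=1 "@$server" "$name" "$rtype" 2>/dev/null)
    [ "$(answer_count "$out")" -gt 0 ]
}

# Check one server against every AD SRV name and the public name.
# Prints one PASS/FAIL line per record; returns non-zero if anything failed.
check_server() {
    server="$1"; failed=0
    for name in $(ad_srv_names "$AD_DOMAIN"); do
        if resolves "$server" "$name" SRV; then
            echo "PASS  $server  $name SRV"
        else
            echo "FAIL  $server  $name SRV"; failed=1
        fi
    done
    if resolves "$server" "$PUBLIC_NAME" A; then
        echo "PASS  $server  $PUBLIC_NAME A (public)"
    else
        echo "FAIL  $server  $PUBLIC_NAME A (public)"; failed=1
    fi
    return $failed
}

# Run the check against every server. A single failing server is enough to
# break AD integration, because ISE may hand any of them the AD lookups.
check_all() {
    rc=0
    for s in $DNS_SERVERS; do
        check_server "$s" || rc=1
    done
    return $rc
}

# Only runs when invoked with an argument, e.g.:  sh ise_dns_check.sh run
if [ "$#" -gt 0 ]; then
    if check_all; then
        echo "All servers answer the AD locator records; safe to configure in ISE"
    else
        echo "At least one server cannot serve AD queries; fix before adding it to ISE"
        exit 1
    fi
fi
```

Export AD_DOMAIN, PUBLIC_NAME and DNS_SERVERS for your environment and run the file with any argument (the file name is the example's own). Every server listed must print PASS for all the SRV names and for the public name; that is the condition the answer above describes. ISE also ships an Active Directory diagnostic tool on the external identity source that performs comparable DNS checks once a join point exists; the script lets you vet candidate DNS servers before that.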
03-19-2020 01:53 AM
I think it's possible.
ISE will support multi-domain.
03-19-2020 02:19 AM
Hi,
Your best and only call would be to have 2 or more DNS servers, which actually are DNS servers that are members of your Active Directory, and those DNS servers need to be able to resolve everything, either directly (for AD resources) or by forwarding the request to another DNS server which resolves public resources.
Is there a specific reason for you wanting to "separate" the DNS queries, like AD based DNS queries, and other DNS based queries?
Regards,
Cristian Matei.
03-19-2020 03:46 AM
Our plan is to have ISE, DNAC and network services in the DMZ with a dedicated DNS server, and our AD (with integrated DNS) is in the "office" network. These 2 DNS servers are not linked for security reasons.
So you mean that the only solution is to set our DMZ DNS server as the DNS server in ISE and on the DMZ DNS server set up some kind of conditional forwarder, so that if ISE wants to resolve a DNS name from AD, the DMZ DNS server will forward this request to our "office" DNS (AD)?